# Regular Expression Safety (ReDoS)

One-sentence definition: Avoid regex patterns whose worst-case runtime can be exploited for denial of service.

## Key Facts

- Watch for catastrophic backtracking; test with fuzzed inputs.
- Prefer linear-time engines or safe patterns; limit input lengths/timeouts.
- Precompile and reuse patterns; sandbox untrusted user-supplied regex.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Identify vulnerable patterns like `(a+)+`.

**Mnemonic:** “**Regex fast, or regex last**.”

## Mini Scenario

Q: API validates emails with heavy regex, CPU spikes. Fix?

A: Use a simpler pattern or a dedicated parser; add timeouts/length caps.

## Revision Checklist

- One dangerous pattern type.
- Two mitigations.
- Sandbox rule.

## Related

[[Input Validation and Output Encoding]] · [[Security Testing Strategy (Unit Integration E2E Fuzz)]] · [[API Security Fundamentals (REST GraphQL gRPC)]] · [[Application Telemetry and Privacy Controls]] · [[Domain 8 - Index]]